Analysis
Max time kernel: 151s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 02-05-2022 01:29
Static task: static1
Behavioral task: behavioral1
Sample: cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe
Resource: win7-20220414-en
General
Target: cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe
Size: 122KB
MD5: 2085da3926285d53a13b68175bdf2ccb
SHA1: 0853c04cd6646e3a33145d240290298a89eb3828
SHA256: cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86
SHA512: 7d13b931cfed63123107abc0a0ab5c6f3a616c5b22194bfb64e3b5035e94ee0b3a855f1a113eb4b214e0ebf9d328a54f11a855c0a7a897079e098b8c842ada24
Malware Config
Extracted family: systembc
C2: dasd13d.com:4035
C2: dasd13d.xyz:4035
Signatures
Executes dropped EXE (1 IoC)
  Process: batmeh.exe (PID 4088)

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 5: api.ipify.org
  Flow 4: api.ipify.org

Uses Tor communications (1 TTP, no IoCs listed)
  Malware can proxy its traffic through Tor for more anonymity.

Drops file in System32 directory (2 IoCs)
  svchost.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4F8CE699-6DBA-4850-A5BF-991AC404D8DA}.catalogItem
  svchost.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{397385AA-FA6B-4E0C-B59B-32DAA9BC51E0}.catalogItem

Drops file in Windows directory (2 IoCs)
  cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe: File created C:\Windows\Tasks\batmeh.job
  cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe: File opened for modification C:\Windows\Tasks\batmeh.job

Program crash (1 IoC)
  WerFault.exe (PID 1084) handled a crash of cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe (PID 3808)

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  svchost.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 2 IoCs)
  svchost.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe (PID 3808), two occurrences

Note: the System32 file writes and the CentralProcessor/BIOS registry reads are attributed to svchost.exe -k netsvcs -p, which is not a child of the sample in the process tree below. InstallService catalogItem files and hardware-key reads by that host service are consistent with ordinary Windows 10 background activity, so they should not be treated as indicators of this sample without further evidence. The indicators that are directly attributable to the sample are the C:\Windows\Tasks\batmeh.job write, the dropped C:\ProgramData\ucivphv\batmeh.exe, the ipify lookups and the extracted C2 hosts.
Processes
C:\Users\Admin\AppData\Local\Temp\cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe (PID 3808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  Child: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 484
    - Program crash
C:\ProgramData\ucivphv\batmeh.exe (PID 4088)
  Command line: C:\ProgramData\ucivphv\batmeh.exe start
  - Executes dropped EXE
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3808 -ip 3808
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\ProgramData\ucivphv\batmeh.exe
  Filesize: 122KB
  MD5: 2085da3926285d53a13b68175bdf2ccb
  SHA1: 0853c04cd6646e3a33145d240290298a89eb3828
  SHA256: cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86
  SHA512: 7d13b931cfed63123107abc0a0ab5c6f3a616c5b22194bfb64e3b5035e94ee0b3a855f1a113eb4b214e0ebf9d328a54f11a855c0a7a897079e098b8c842ada24
  All hashes are identical to the submitted sample: the dropped file is a byte-for-byte copy of the original under a randomised ProgramData directory, and the batmeh.job entry in C:\Windows\Tasks is what launches it with the "start" argument.
Memory dumps
  memory/3808-131-0x0000000000A50000-0x0000000000A59000-memory.dmp: 36KB
  memory/3808-130-0x0000000000AB8000-0x0000000000ABF000-memory.dmp: 28KB
  memory/3808-132-0x0000000000400000-0x00000000008BC000-memory.dmp: 4.7MB
  memory/4088-135-0x00000000008E3000-0x00000000008E9000-memory.dmp: 24KB
  memory/4088-136-0x0000000000A30000-0x0000000000A39000-memory.dmp: 36KB
  memory/4088-137-0x0000000000400000-0x00000000008BC000-memory.dmp: 4.7MB
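The indicators recorded in this report (the dropped path and job file, the file hashes, the extracted C2 hosts and port, and the ipify lookup) are most useful once turned into detection logic. The script below is an added example, not part of the sandbox report or of any vendor tooling: it matches those indicators against Sysmon-style telemetry. The JSON event shape (type, pid, image, target, hashes, query, dst_host, dst_port) and the sample events are constructed for illustration, and the confidence levels are the author's own weighting, with api.ipify.org deliberately rated low because legitimate software uses it too.

```python
"""IoC matcher built from the SystemBC report above (added example)."""
import json
from collections import defaultdict

# Indicators copied from the report; hashes lower-cased for comparison.
IOC_HASHES = {
    "md5": "2085da3926285d53a13b68175bdf2ccb",
    "sha1": "0853c04cd6646e3a33145d240290298a89eb3828",
    "sha256": "cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86",
}
IOC_PATHS = {
    r"c:\programdata\ucivphv\batmeh.exe",  # dropped copy of the sample
    r"c:\windows\tasks\batmeh.job",        # legacy .job entry used for persistence
}
IOC_DOMAINS = {"dasd13d.com", "dasd13d.xyz"}
IOC_PORT = 4035
# api.ipify.org is a legitimate service; on its own it is only a weak signal.
WEAK_DOMAINS = {"api.ipify.org"}


def match_event(ev):
    """Return (confidence, reason) pairs for one event.

    The event shape is an assumption of this example (Sysmon-like fields
    flattened to JSON); adapt the field names to your own pipeline.
    """
    hits = []
    kind = ev.get("type")
    if kind in ("process_create", "file_create"):
        for field in ("image", "target"):
            path = (ev.get(field) or "").lower()
            if path in IOC_PATHS:
                hits.append(("high", f"known path {path}"))
        for algo, value in (ev.get("hashes") or {}).items():
            if IOC_HASHES.get(algo.lower()) == value.lower():
                hits.append(("high", f"{algo.lower()} matches sample"))
    elif kind == "dns_query":
        name = (ev.get("query") or "").lower().rstrip(".")  # drop trailing dot
        if name in IOC_DOMAINS:
            hits.append(("high", f"C2 domain {name}"))
        elif name in WEAK_DOMAINS:
            hits.append(("low", f"external IP lookup via {name}"))
    elif kind == "network_connect":
        host = (ev.get("dst_host") or "").lower()
        port = ev.get("dst_port")
        if host in IOC_DOMAINS:
            hits.append(("high", f"C2 connection to {host}:{port}"))
        elif port == IOC_PORT:
            # Same port as the extracted config but an unlisted host: a lead, not a verdict.
            hits.append(("medium", f"port {IOC_PORT} to unlisted host {host}"))
    return hits


def scan(lines):
    """Scan JSON-lines events and group hits by pid: {pid: [(confidence, reason)]}."""
    by_pid = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for hit in match_event(ev):
            by_pid[ev.get("pid")].append(hit)
    return dict(by_pid)


def verdict(by_pid):
    """Flag a pid on any 'high' hit, or on two or more weaker hits together."""
    flagged = {}
    for pid, hits in by_pid.items():
        levels = [confidence for confidence, _ in hits]
        if "high" in levels or len(levels) >= 2:
            flagged[pid] = hits
    return flagged


# Constructed sample telemetry (not taken from the report). It mirrors the
# process tree above and adds one benign process that only queries ipify.
SAMPLE_EVENTS = r"""
{"type": "file_create", "pid": 3808, "target": "C:\\Windows\\Tasks\\batmeh.job"}
{"type": "process_create", "pid": 4088, "image": "C:\\ProgramData\\ucivphv\\batmeh.exe", "hashes": {"SHA256": "CFDCC3EA8F9CD2CF619E755DA0D07D1501AFAEC23BC9F5D2ECC195625172AD86"}}
{"type": "dns_query", "pid": 4088, "query": "api.ipify.org"}
{"type": "dns_query", "pid": 4088, "query": "dasd13d.xyz."}
{"type": "network_connect", "pid": 4088, "dst_host": "dasd13d.xyz", "dst_port": 4035}
{"type": "dns_query", "pid": 5120, "image": "C:\\Program Files\\SpeedTest\\speedtest.exe", "query": "api.ipify.org"}
""".strip().splitlines()

if __name__ == "__main__":
    for pid, hits in sorted(verdict(scan(SAMPLE_EVENTS)).items()):
        print(pid, [reason for _, reason in hits])
```

Hash comparison is case-insensitive and the DNS name is normalised before lookup, because telemetry sources differ on both; PID 5120, which only performs the ipify lookup, is deliberately left unflagged.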